Main Vulnerability Database SB2021070126

SB2021070126 - Insufficient Entropy in libtpms

Published: July 1, 2021

Security Bulletin ID SB2021070126

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insufficient Entropy (CVE-ID: CVE-2021-3505)

The vulnerability allows a local user to decrypt data.

The vulnerability exists in the TPM 2 implementation, which returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check.

Remediation

Install update from vendor's website.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1950046
https://github.com/stefanberger/libtpms/issues/183
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUCZX4S53TUNTSGTCRDNOQZV2V2RI4RJ/